
Blind SQL Injection in RuoYi framework ≤ v4.7.9


1. Description and Impact

The Blind SQL Injection vulnerability is located in com/ruoyi/generator/controller/GenController, specifically in the handler for the endpoint /tool/gen/createTable. Manipulating the sql parameter sent to this endpoint allows an authenticated attacker to execute arbitrary SQL commands, which endangers the confidentiality, integrity, and availability of the system.

SQL injection vulnerability in /tool/gen/createTable in RuoYi framework versions ≤ 4.7.9 allows attackers to execute arbitrary SQL commands via the sql parameter.

| Type          | Required Authentication | Version Affected |
|---------------|-------------------------|------------------|
| SQL Injection | Yes                     | All versions     |

2. Root Cause Analysis

After CVE-2022-4566 was patched in commit https://gitee.com/y_project/RuoYi/commit/167970e5c4da7bb46217f576dc50622b83f32b40 , the endpoint /tool/gen/createTable is still injectable, now as a blind SQLi: the patch did not stop a crafted sql parameter from reaching the database.

Read my CVE-2022-4566 analysis here.

3. Steps to reproduce

Set up the environment by cloning the project and following the official deployment guide:

$ git clone https://gitee.com/y_project/RuoYi.git

Deployment guide: https://doc.ruoyi.vip/ruoyi/document/hjbs.html

PoC

Log in using the default account admin/admin123 and send a POST request to the endpoint /tool/gen/createTable with the following sql parameter. The sleep(10) call in the UNION branch delays the response by about 10 seconds, which confirms the injection without any data being returned (hence "blind").

Payload:


sql=create table test as select/**/* from sys_job where 1=1 union select/**/sleep(10),2,3,4,5,6,7,8,9,10,11,12,13;

PoC attachment: https://github.com/user-attachments/assets/05bd575d-bc5f-4162-80fc-2c6c8042e8e2
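As an added defensive example (not part of this advisory or of the RuoYi code base): the payload above uses /**/ inline comments as token separators, so a check that inspects the raw sql parameter sees "select/**/sleep(10)" while MySQL sees "select sleep(10)". Normalizing comments and whitespace before applying a denylist of constructs a code-generator endpoint never needs (UNION, sleep/benchmark, file access, stacked statements) closes that gap. The sample payload, the benign statement and the log-line format are constructed for the example.

```python
import re

# Constructed sample shaped like the advisory's payload (not captured traffic).
SAMPLE_PAYLOAD = ("create table test as select/**/* from sys_job where 1=1 "
                  "union select/**/sleep(10),2,3,4,5,6,7,8,9,10,11,12,13;")
# Constructed benign statement of the kind the generator endpoint is meant to accept.
SAMPLE_BENIGN = "create table demo_user (id bigint primary key, name varchar(64));"

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"(--|#)[^\n]*")
# Constructs that a CREATE TABLE statement submitted to a code generator never needs.
DENY_PATTERNS = {
    "union": re.compile(r"\bunion\b"),
    "time-based function": re.compile(r"\b(sleep|benchmark)\s*\("),
    "file access": re.compile(r"\b(load_file|into\s+(out|dump)file)\b"),
    "stacked statement": re.compile(r";\s*\S"),
}


def normalize_sql(sql: str) -> str:
    """Strip comments and collapse whitespace so checks see what MySQL parses:
    '/**/' is a token separator, so 'select/**/sleep(10)' becomes 'select sleep(10)'."""
    sql = INLINE_COMMENT.sub(" ", sql)
    sql = LINE_COMMENT.sub(" ", sql)
    return " ".join(sql.lower().split())


def flag_sql(sql: str) -> list[str]:
    """Return the names of every deny pattern matched after normalization (empty = clean)."""
    norm = normalize_sql(sql)
    reasons = [name for name, pat in DENY_PATTERNS.items() if pat.search(norm)]
    if not norm.startswith("create table"):
        reasons.append("not a create table statement")
    return reasons


def scan_log(lines):
    """Apply flag_sql to 'sql=' parameters found in request log lines
    (constructed log format: the parameter value runs to the end of the line)."""
    hits = []
    for line in lines:
        m = re.search(r"sql=(.*)$", line)
        if m:
            reasons = flag_sql(m.group(1))
            if reasons:
                hits.append((line, reasons))
    return hits
```

Normalization is a filter for what an allowlist should ultimately do; the robust fix is to accept only a strictly parsed CREATE TABLE definition rather than to pass user-supplied SQL to the database at all.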